# One-shot Job that runs the Guix `docker-system` system test. The pod only
# acts as a launcher: it enters the node's namespaces, then uses kubectl and
# runc to reach the `guix-builder` container where the build happens.
#
# Security: privileged + hostPID + nsenter into PID 1 gives this pod full
# control of the node. Treat write access to this manifest, and to the image
# it references, as equivalent to root on the host.
apiVersion: batch/v1
kind: Job
metadata:
  name: runc-guix-builder-contribute
  annotations:
    # Asks Flux to recreate this Job when an immutable field changes (the
    # per-object counterpart of spec.force on the Flux Kustomization), so
    # the Job runs again every time the container image tag changes.
    # NOTE(review): the image below carries no tag in this file; presumably
    # one is injected elsewhere (e.g. a kustomize image override) - confirm.
    kustomize.toolkit.fluxcd.io/force: enabled
spec:
  # A failed run is not retried; together with restartPolicy: Never the
  # script executes at most once per Job object.
  # NOTE(review): no activeDeadlineSeconds or ttlSecondsAfterFinished is
  # set, so a hung build keeps this privileged pod alive - confirm intended.
  backoffLimit: 0
  template:
    spec:
      # NOTE(review): `nsenter --net` below already switches to PID 1's
      # network namespace; confirm hostNetwork is still required.
      hostNetwork: true
      # Makes the node's init process visible as PID 1 inside the pod, which
      # is what `nsenter --target "1"` relies on.
      hostPID: true
      restartPolicy: Never
      containers:
      - command:
        - /bin/sh
        - -c
        # Three nested here-documents, each feeding the next shell's stdin:
        #   EOF - bash login shell on the node, as user `oleg`, started via
        #         nsenter (mount, UTS, IPC, net and PID namespaces of PID 1)
        #         and the host's sudo.
        #   EOL - /bin/sh inside the `guix-builder` runc container, reached
        #         with `kubectl exec` into pod/runc-kube1-guix-builder
        #         (namespace guix) and `runc exec -u 1000:998`.
        #   EOS - the shell started by `guix shell --development guix`,
        #         which checks out `docker-system`, discards local changes
        #         (`git reset --hard HEAD`), builds, and runs
        #         `make check-system TESTS=docker-system`.
        # All delimiters are quoted, so ${HOME} and $(nproc) are expanded
        # only by the inner shell that finally reads them.
        # NOTE(review): kubectl runs on the node as `oleg`, so it presumably
        # authenticates with that user's kubeconfig rather than the pod's
        # service account - confirm, and scope those credentials narrowly.
        - |
          nsenter --target "1" --mount --uts --ipc --net --pid --no-fork \
          /run/setuid-programs/sudo --user oleg --login bash <<'EOF'
          set -o nounset -o errexit -o pipefail -o xtrace
          kubectl --namespace=guix exec --stdin=true pod/runc-kube1-guix-builder -- runc exec -u 1000:998 guix-builder /bin/sh -le <<'EOL'
          cd "${HOME}/src/git.savannah.gnu.org/git/guix" || exit 1
          guix shell help2man guile-sqlite3 guile-gcrypt direnv git git:send-email git-cal gnupg guile-colorized guile-readline inetutils less ncurses openssh password-store sshpass xdot which skopeo --development guix <<'EOS'
          set -o nounset -o errexit -o pipefail -o xtrace
          git checkout docker-system
          git reset --hard HEAD
          ./bootstrap
          ./configure --localstatedir=/var --prefix=
          make -j$(nproc)
          make -j$(nproc) check-system TESTS=docker-system
          EOS
          EOL
          EOF
        # No tag or digest is given here, so unless one is substituted at
        # deploy time the reference resolves to the mutable `latest` tag.
        # NOTE(review): this image runs privileged on the node; consider
        # pinning it as <image>@sha256:<digest> (placeholder) so a changed
        # registry tag cannot silently replace what runs with host access.
        image: docker-registry.wugi.info/library/util-linux-with-udev
        name: nsenter
        # NOTE(review): the build is started by `runc exec` in the
        # guix-builder container, so these limits presumably cover only the
        # nsenter/sudo/kubectl client processes, not `make` - confirm.
        resources:
          limits:
            cpu: 14000m
            memory: 4096Mi
          requests:
            cpu: 50m
            memory: 512Mi
        securityContext:
          # Entering the node's namespaces with nsenter needs elevated
          # privileges; `privileged: true` grants all of them at once.
          # NOTE(review): confirm whether a narrower capability set would do.
          privileged: true
